Tutorial  on  ContainersLinux

What's Inside Distroless Container Images: Taking a Closer Look

GoogleContainerTools' distroless images are often mentioned as one of the ways to produce small(er), fast(er), and secure(r) containers. But what are these distroless images, really? What's the difference between a container image built from a distroless base and one built FROM scratch? Let's dive in!

Why Do We Need Distroless Images?

Container images built FROM full-blown Linux distributions like debian, ubuntu, or their derivatives (e.g., node:lts or python:3) often come packed with tools and libraries. While comprehensive for day-to-day tasks, most of these components are unnecessary for typical containerized applications at runtime. The result? Larger image sizes and more potential vulnerabilities to manage for no good technical reason.

The desire to create smaller, more secure container images by including only the essentials is natural. The most extreme approach to achieving this minimalism is starting FROM scratch - an empty base image - and adding only the application files and packages truly necessary for your container to function.

However, as discussed in the previous post, this approach may require significant manual effort because by default, scratch-based containers miss:

  • System directories like /tmp, /home, or /var.
  • CA certificates for secure connections.
  • User management files (/etc/passwd, /etc/group).
  • Shared libraries for dynamically linked applications.
  • Time zone information.

...and possibly more.

While FROM scratch containers offer a clean start, they are often incomplete and potentially problematic for production use without significant manual effort to fill in the gaps.

That's where distroless images come in! The GoogleContainerTools/distroless project provides prebuilt minimal base images that are as close to scratch as possible but have the necessary system files and folders in place.

The only thing you need to get started with the distroless images is to understand their hierarchy and pick the one that best fits your application's requirements.

Meet the First Distroless Image: gcr.io/distroless/static

A good starting point to become familiar with the GoogleContainerTools distroless collection is the gcr.io/distroless/static image:

docker pull gcr.io/distroless/static
docker images

REPOSITORY                     TAG       IMAGE ID       SIZE
gcr.io/distroless/static       latest    5d7d2b425607   1.99MB

Inspecting its filesystem tells us that:

  • It's just ~2MB (which is ~25% of the alpine image size 🤯)
  • It has a typical Linux distro directory structure inside.
  • The /etc/passwd, /etc/group, and even /etc/nsswitch.conf files are in place.
  • Certificates and the time zone information are present as well.
  • The image is Debian-based (so, there is a distro in the distroless image after all, but it's stripped down to the bones).
  • Last but not least, the licenses seem to be preserved (but I'm not a copyright expert).
The contents of the gcr.io/distroless/static image.

Premium Materials

Official Content Pack required

This platform is funded entirely by the community. Please consider supporting iximiuz Labs by upgrading your membership to unlock access to this and all other learning materials in the Official Collection.

Support Development

How to Author Tutorials on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull tutorial content

labctl content pull tutorial gcr-distroless-container-images

This will create a local copy of the tutorial content in a directory named gcr-distroless-container-images. You only need to do this once per tutorial.

Stream your changes

labctl content push -fw tutorial gcr-distroless-container-images

Run this command in a separate terminal to continuously upload your changes to the server while editing the tutorial in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start tutorial